We write stuff

Last Friday (21st October) morning began much like any other on the East coast of the United States. By mid-day, the Internet had begun to experience issues. By the evening, much of the public Internet was unreachable. Large sites such as Twitter, Amazon, Airbnb, Spotify, Reddit, The New York Times, PayPal, the PlayStation Network and many more were inaccessible for most of the US. The sky that everyone had suspected would at some point fall down dramatically was definitely looking that little bit lower. A sustained and significant distributed denial of service attack against Dyn Inc. slowed much of the US Internet to a crawl, resulting in lack of access to all manner of resources, and much of the media began to freak out. For anyone involved (even tangentially) with IT security and network administration this turn of events was not much of a shock, but it did provide an interesting indicator of the fragility of the infrastructure on which so many rely. According to reports that have emerged since, one of the major DNS service providers had been left largely inoperable owing to a botnet based around Mirai. In essence, toasters (well, IP cameras) had stopped the Internet working for much of America.

Earlier this month, the Dutch security researcher Willem de Groot published a report concerning credit card skimming scripts that had been installed on a number of online retail sites (it's available here for anyone who hasn't already read it: https://gwillem.gitlab.io/2016/10/11/5900-online-stores-found-skimming/). Magento-based credit card stealing scripts have been around in the wild for a while (the earliest reports go back as far as 2015), but what makes de Groot's research so interesting is the scale of the problem (initially 6000+ affected sites, now down to 4859 thanks to outreach and patching). Before addressing that, however, it is worth explaining exactly what Magento is and how this attack works.

A few days ago, details emerged of a new draft API standard proposed by two Google engineers. The WebUSB API is a proposed mechanism for allowing the update of device drivers via an internet connection. As envisioned, the WebUSB API, if implemented, will provide a mechanism for USB-connected hardware devices to be updated using a web page. In the example provided, the API instance allows both for drivers to be installed from a remote web directory and for firmware updates to be installed. Rather than requiring users to scour hardware manufacturers' sometimes seemingly impenetrable websites, the WebUSB API allows devices to configure and update themselves via the Internet. Although this may reduce installation overhead, it may well have the unintended consequence of increasing security overhead and introducing all manner of risk.